HBGary DDNA for Encase Enterprise Quick Start Guide
Prerequisites
• Must have Encase Enterprise with the Remediation Feature enabled on the SAFE
• You must have access to a Role that has the Remediation Capabilities
DDNA Enscripts
• Copy the HBGary DDNA enscripts into
  – C:\Program Files\Encase\enscripts
Get Started…
• Double-click the Encase icon on the desktop
Login to the SAFE Server DDNA for Encase Enterprise enscripts
Select Username, Enter Password
* The Keymaster user can only administer the SAFE, i.e. can create users, roles, edit permissions and manage which machines are approved to be scanned.
** Do not use the Keymaster account to perform ANY analysis; it will fail and NOT provide you with a descriptive error as of Feb 2010.
Notice I'm using the user account Rich Cummings… Enter your password here and click Next... If you get the user's password incorrect, you will not get past this screen.
Which SAFE are you connecting to? There is only one. RCSAFE. Dbl-click on your SAFE to bring up the configuration screen. Make sure you have the appropriate IP Address in there.
Dbl-Click on SAFE to bring up Config Window
• I know it says Machine Name but it really means IP Address. Most often the Machine Name will fail to resolve unless you have an updated lmhosts file. Ensure you have the proper IP Address and click OK.
• The Priority Settings configured here will affect the performance of the encase agent on the remote machines; they alter the threads of the encase agents scanning the remote machines.
Click Finish to Login…
Successful Login looks like this…
• Log-off is now an option
• The SAFE you're logged into is in the Table View of SAFEs
• If you see something like this, go to the next slide
Launch DDNA from Enscript Tab
First Screen of DDNA for EE
DDNA Configuration Screen
• The IP Address here is for the HBGary License Server and password
• The License Server keeps track of DDNA agent licenses used
• Log options allow you to specify the location to store logging information about the DDNA scan
• Click Finish and the DDNA process begins…
The DDNA for EE Process
1. All permissions are controlled via EE
2. The DDNA agent is uploaded and installed into the remote machine - assuming correct permissions with remediation
   – C: HBGaryDDNA
3. DDNA agent checks into the License server to obtain a license.licx file
   – This information is kept in the db on the license server
   – No scanning will take place by DDNA.exe if there is no active License.licx for that specific agent
4. DDNA will verify the license, begin dumping physical memory, scan for DDNA, send results xml file to HBGary Active Defense Web Server for analyst review.
- Slides: 15